Preparation for Recitation on Botnets
Read "Your Botnet is My Botnet: Analysis of a Botnet Takeover" by Stone-Gross et al. You can skim §5.2.1-§5.2.3.
- Section 2 explains how Torpig infects a user's machine. After reading this section, you should understand how that happens: how the rootkit gets installed and why its installation remains undetected.
- Section 3 explains the technique (domain flux) by which Torpig bots communicate with the C&C (command and control) server. After reading this section, you should understand why it's difficult to simply block bots from accessing the C&C server.
- Section 4 explains how the authors were able to take control of the Torpig botnet for a few weeks.
- Sections 5 and 6 give an analysis of the botnet based on the authors' takeover. (Remember, you can skim §5.2.1-§5.2.3.)
- Which tools and/or threat models does Torpig violate?
- Think about the key factors that allowed the authors to infiltrate the Torpig botnet. Would their techniques work for all botnets?
- Was the authors' methodology -- taking over the botnet -- necessary to collect the data they wanted? Was it ethical?
Question for Recitation
Before you come to this recitation, write up (on paper) a brief answer to the following (really—we don't need more than a couple sentences for each question). If your TA has requested that you email your answer to them, you may do that instead, but it should still be handed in before your recitation begins.
Your answers to these questions should be in your own words, not direct quotations from the paper.
- What does it mean for a computer to be a "bot"?
- In Torpig, how does a machine become a bot, and how does it receive instructions to carry out attacks?
- Why is it difficult to prevent a machine from becoming a bot? Why is it difficult to simply block bots from accessing the C&C server?